Disabling PGP in Apple Mail with GPGTools

Researchers have developed code exploiting several vulnerabilities in PGP (including GPG) for email. In response, EFF’s current recommendation is to disable PGP integration in email clients.

Disabling PGP decryption in Apple Mail requires deleting a “bundle” file used by the application. Your existing keys will remain available on your machine.

1. First, click the Mail icon in the dock.

2. Click “Mail” in the menu bar on the top of the screen, and select “Quit Mail.” This is to make sure it’s shut down completely before we continue.

3. Click the Finder icon in the Dock.

4. Click the “Go” menu in the menu bar on the top of the screen, and select “Go to Folder…”

5. This will open the “Go to Folder” window. Type this exact text: /Library/Mail/Bundles

6. At this point, you may see a folder with the “GPGMail.mailbundle” file. (If you don’t, return to step 4, and in step 5 instead type exactly ~/Library/Mail/Bundles. You can type the ~ (tilde) character by holding shift and pressing the ` key, located directly below Esc on most keyboards.)

7. Move the file “GPGMail.mailbundle” to the trash, either by dragging it to the trash icon on the dock or by right-clicking it and selecting "Move to Trash."

8. At this point, you may be prompted to type your macOS administrator password. Type it in, and hit the “enter” key.

You may see the file deletion dialogue displayed on the screen.

Once the GPGMail.mailbundle file is in your trash, your emails will not be automatically decrypted in Apple Mail.
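For administrators who prefer Terminal, the same steps can be scripted. This is an added example, not part of the original guide: the function names and the `--apply` switch are hypothetical, and using `~/.Trash` as the Trash folder is an assumption.

```shell
#!/bin/sh
# Added example: find GPGMail.mailbundle in the two Bundles folders named in
# the steps above and move it to the Trash. Folders are passed as arguments
# so the functions can be tried on test directories first.

BUNDLE_NAME="GPGMail.mailbundle"

# Print the full path of every copy of the bundle in the given folders.
find_gpgmail_bundles() {
    for dir in "$@"; do
        if [ -e "$dir/$BUNDLE_NAME" ]; then
            printf '%s\n' "$dir/$BUNDLE_NAME"
        fi
    done
}

# Usage: disable_gpgmail TRASH_DIR BUNDLES_DIR...
# Moves each copy found into TRASH_DIR without overwriting anything there.
# Returns 0 if at least one copy was moved, 1 if none was found,
# 2 if a move failed (for example, missing administrator rights).
disable_gpgmail() {
    trash=$1
    shift
    moved=0
    for dir in "$@"; do
        src="$dir/$BUNDLE_NAME"
        [ -e "$src" ] || continue
        dest="$trash/$BUNDLE_NAME"
        n=1
        while [ -e "$dest" ]; do
            dest="$trash/$BUNDLE_NAME.$n"
            n=$((n + 1))
        done
        mv "$src" "$dest" || return 2
        moved=$((moved + 1))
    done
    [ "$moved" -gt 0 ]
}

# Only act on the real folders when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    # Mail must be fully quit first, as in step 2.
    if pgrep -x Mail >/dev/null 2>&1; then
        echo "Mail is still running; quit it first." >&2
        exit 1
    fi
    find_gpgmail_bundles /Library/Mail/Bundles "$HOME/Library/Mail/Bundles"
    disable_gpgmail "$HOME/.Trash" /Library/Mail/Bundles "$HOME/Library/Mail/Bundles"
fi
```

Moving the copy in /Library/Mail/Bundles may need administrator rights, matching the password prompt in the steps above.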
